Strange message on update script, possible hack

RKopacz

Forgive if this is the wrong place to ask this question, but I am trying to determine what is wrong with a site I maintain.

When attempting to run an update script, I got this message:

An AJAX HTTP error occurred. HTTP Result Code: 200 Debugging information follows. Path: /batch?id=142&op=do StatusText: OK ResponseText: {"status":true, "percentage":"12", "message":"Trying to check available update data ...\u003Cbr \u002F\u003EChecked available update data for \u003Cem class=\u0022placeholder\u0022\u003EBlock Class\u003C\u002Fem\u003E."} Air Jordan 12 (XII) 2012 New Packaging Air Jordan 10 - Blue/White 2013 New Balance 2013 Air Retro 3 Yellow Purple Mens shoes Air Jordan 5 (V) Air Max Lebron 10 Low document.getElementById("urlss-20130710-1").style.display="none"

I don't want to touch the site until I have investigated this fully. If this is the wrong place to ask this question, any advice as to where I should post it would be welcome.

Thanks in advance for any guidance.

Comments

You are right, this does

larowlan

You are right, this does appear to be a hacked site.
Update.php, and indeed anything that requires JSON/AJAX, relies on the response being well-formed JSON.
This message seems to indicate that something is being appended to the markup ('Air Jordan' etc.), resulting in a JavaScript error because the response can't be parsed.
You need to find where this junk is being appended.
Suggested actions:
* Download the hacked module (drupal.org/project/hacked) and run a 'hacked diff report', which will show you if any of your downloaded core or contrib modules have been modified.
* Grep your code base for this content.
* Failing that, it might be in your database, so take a backup of your database and grep the resultant file.
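As an added illustration, not code from this thread or from Drupal, the parsing failure larowlan describes can be checked directly: the batch endpoint must return exactly one JSON document, so whatever remains after the first complete JSON value is the text that was appended to the page. The sample response is reconstructed from the original post; the function names are my own.

```python
import json
import re

# Constructed sample: the ResponseText quoted in the original post, i.e. a valid
# Drupal batch JSON object followed by injected SEO spam and an inline script.
SAMPLE_RESPONSE = (
    r'{"status":true, "percentage":"12", "message":"Trying to check available '
    r'update data ...\u003Cbr \u002F\u003EChecked available update data for '
    r'\u003Cem class=\u0022placeholder\u0022\u003EBlock Class\u003C\u002Fem\u003E."}'
    ' Air Jordan 12 (XII) 2012 New Packaging Air Jordan 10 - Blue/White 2013 '
    'document.getElementById("urlss-20130710-1").style.display="none"'
)


def split_json_and_trailer(body: str):
    """Return (parsed_object, trailing_text).

    raw_decode stops at the end of the first complete JSON value, so anything
    left over is what the server (or code injected into it) appended after the
    legitimate response. Raises json.JSONDecodeError if no JSON value starts
    the body at all.
    """
    stripped = body.lstrip()
    obj, end = json.JSONDecoder().raw_decode(stripped)
    return obj, stripped[end:].strip()


def inspect_batch_response(body: str) -> dict:
    """Classify a batch/AJAX response body.

    'clean'    : exactly one JSON document, as Drupal's batch API emits.
    'tampered' : valid JSON followed by extra bytes; the trailer is reported so
                 it can be grepped for in index.php, modules, or a DB dump.
    'not_json' : the body does not even begin with JSON.
    """
    try:
        obj, trailer = split_json_and_trailer(body)
    except json.JSONDecodeError as exc:
        return {"verdict": "not_json", "error": str(exc)}
    if not trailer:
        return {"verdict": "clean", "status": obj.get("status")}
    # An inline script in the trailer is typical of text injected into index.php.
    has_script = bool(re.search(r"document\.getElementById\(|<script", trailer, re.I))
    return {
        "verdict": "tampered",
        "trailer_bytes": len(trailer),
        "trailer_preview": trailer[:60],
        "inline_script": has_script,
    }


if __name__ == "__main__":
    print(json.dumps(inspect_batch_response(SAMPLE_RESPONSE), indent=2))
```

The trailer it reports is the exact string to grep for across the code base and the database dump.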

thanks so much

RKopacz

I can't thank you enough for this guidance. I'll report back after doing this and let you know the outcome, in case anybody else has this problem.

Usually this is text added in

greggles

Usually this is text added in index.php that was placed through a vulnerability in some other way (e.g. your sftp credentials or a malicious account on your server) and not via a vulnerability in Drupal.

Larowlan's advice on how to find it is solid.

Yep Good call

RKopacz

Yep, greggles, you got it right. It was in fact added into the index.php file, and yes, Larowlan's advice was extremely helpful. Looked like the FTP login was swiped somehow, insofar as I found more than a dozen rogue PHP files in root and other places. Deleted them all and they returned, which worries me, but that is not a Drupal issue. Dealing with the hosting company now.

Kind, kind thanks for all your guidance!

rk

Security
